Closed: Squirrel1489 closed this issue 3 years ago
In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments.
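The advisory above names two member-name shapes that let an archive write outside its extraction root: absolute paths and relative paths containing `..` segments. The following is an added illustration, not Django's own `django.utils.archive` code or its fix, of the kind of per-member validation an extractor needs. The helper names (`is_safe_member`, `safe_extract`, `build_demo_archive`, `run_demo`) and the in-memory sample archive are constructed for this example; it also applies a second, resolved-path containment check so that a name the string filter misses can still not escape the destination.

```python
import io
import os
import tarfile
import tempfile


def is_safe_member(name: str) -> bool:
    """Return True only if an archive member name stays under the extraction root.

    Rejects the two cases named in the advisory: absolute paths (POSIX, and
    Windows drive-letter style) and any path containing a '..' segment.
    """
    if not name:
        return False
    normalized = name.replace("\\", "/")          # treat backslash names the same way
    if normalized.startswith("/"):                 # absolute POSIX path
        return False
    if len(normalized) > 1 and normalized[1] == ":":   # e.g. 'C:/...' (drive letter)
        return False
    if any(segment == ".." for segment in normalized.split("/")):
        return False
    return True


def safe_extract(archive_bytes: bytes, dest: str) -> tuple[list[str], list[str]]:
    """Extract regular-file members that pass validation; return (extracted, rejected).

    Besides the name check, the resolved target path must remain inside `dest`.
    Links, directories and device entries are reported as rejected here because
    their handling is outside the scope of this example.
    """
    dest_real = os.path.realpath(dest)
    extracted: list[str] = []
    rejected: list[str] = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            target = os.path.realpath(os.path.join(dest_real, member.name))
            inside = os.path.commonpath([dest_real, target]) == dest_real
            if not is_safe_member(member.name) or not inside or not member.isfile():
                rejected.append(member.name)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as dst:
                dst.write(src.read())
            extracted.append(member.name)
    return extracted, rejected


def build_demo_archive() -> bytes:
    """Constructed sample tar: one benign member plus the two unsafe shapes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in [
            ("project/settings.py", b"DEBUG = False\n"),
            ("../outside.txt", b"should never be written\n"),
            ("/etc/absolute.txt", b"absolute path\n"),
        ]:
            info = tarfile.TarInfo(name)     # addfile() keeps the name exactly as given
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def run_demo() -> tuple[list[str], list[str], bytes]:
    """Extract the sample into a temporary directory and report what happened."""
    with tempfile.TemporaryDirectory() as dest:
        extracted, rejected = safe_extract(build_demo_archive(), dest)
        with open(os.path.join(dest, "project", "settings.py"), "rb") as f:
            content = f.read()
    return extracted, rejected, content


if __name__ == "__main__":
    ext, rej, body = run_demo()
    print("extracted:", ext)
    print("rejected: ", rej)
    print("settings.py:", body)
```

Running it writes only `project/settings.py` and reports the `../` and `/etc/` entries as rejected. A useful regression test for any project that unpacks user-supplied templates is exactly this: feed an archive containing both unsafe shapes and assert that nothing lands outside the destination directory.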
This is not urgent for the project. Upgrading to recent Django is useful nevertheless. I guess 3.1.6 should be compatible with 3.1.1, but I would rather test it before just changing the requirements.txt file.
@allo- I understand, I am just now starting to get a feel for communicating with GitHub repositories. I am looking into setting up CodePen and CodeSandbox environments.
This issue needs to be fixed, so the bug is open, and I renamed it to what needs to be done. But I would like to test the change, and I cannot do it right now. As far as I understand, the problem only affects specific ways to create new projects. So I will fix it soon, but only once I have tested it.
Once you have tested it yourself, we can change it. Increasing a version without having tested it should work for micro-upgrades, but when it breaks, it breaks the project without anyone knowing before testing it themselves.
So it's not about whether it should be fixed, but about whether I can test it when I have the time or whether it needs to be fixed asap.
Oh, well, I know that much... I wasn't implying how or what should be done; I'm sorry if that was miscommunicated at all. Like I said, I'm NEW... so learning the ways to communicate over pulls and forks is new.
The new LTS 3.2 is released. It is probably a good idea to migrate to 3.2 instead.
Upgrade django to version 3.1.6 or later
I am using the dependency bot, which informed me of this.